At one point this spring, a single set of money-hungry hackers controlled nearly a quarter of the endpoint infrastructure through which the anonymizing internet browser Tor routed traffic, a researcher who tracks Tor claimed this week.
The unidentified attacker likely used those Tor “exit relays” — the final hops through which Tor traffic leaves the network for its destination — to manipulate the traffic and mine cryptocurrency, said the researcher, who goes by nusenu. How much bitcoin the attackers were able to generate, if any, remains unclear.
It’s the latest example of how malicious hackers can subvert parts of Tor’s infrastructure for their own gain, and follows another set of malicious Tor activity documented by the same researcher last year. Users ranging from human rights workers in repressive countries to U.S. drug dealers rely on Tor to try to maintain their anonymity online.
“So far, 2020 is probably the worst year in terms of malicious Tor exit relay activity since I started monitoring it about five years ago,” nusenu wrote in an Aug. 9 Medium post. “It demonstrates once more that current checks are insufficient to prevent such large-scale attacks.”
Nusenu showed that, as Tor’s overseers kicked the attackers off the exit relays, the hackers were able to regain a similar level of control over the relays within a month. That cat-and-mouse game looks likely to continue, nusenu’s data shows.
The researcher uses a pseudonym, but draws heavily on Tor’s own data. And independent security researchers said the findings document a known security issue. Computer scientist Neal Krawetz pointed out that the hijacking of Tor nodes for financial gain has been a problem for years.
A spokesperson for the Tor Project, the nonprofit that oversees the software, said the coronavirus pandemic had forced the nonprofit to lay off a third of staff who track malicious relays.
“We still have contributors watching the network and reporting malicious relays to be rejected by our Directory Authorities, but they cannot do this full time,” the spokesperson said. “Our goal is to recover our funds to be able to get that Network Health team back in shape.”
Multiple governments have sought to ban Tor, or undercut it entirely. Court records previously revealed U.S. government efforts to crack the software, while the FBI has deployed techniques to try to subvert Tor’s encryption.
One way of countering the most recent attack, nusenu suggested, would be to require all new Tor relay operators that run more than 0.5% of the Tor network’s “exit or guard capacity” to verify their physical addresses.
“It is a balance between the risk of malicious Tor relay capacity and the required effort for verification,” the researcher wrote.
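As an added illustration of the capacity-share rule nusenu proposes (this is not code from the researcher or the Tor Project), the following Python groups constructed relay records by operator and flags any operator above 0.5% of exit or guard capacity; the operator key and bandwidth weights are assumed stand-ins for the consensus data a real check would read.

```python
"""Flag relay operators above a share of exit or guard capacity (added example)."""
from collections import defaultdict

# Constructed sample relays: (fingerprint, operator key, flags, bandwidth weight).
# The operator key stands in for however relays are grouped in practice
# (contact info, declared family, hosting provider); values are made up.
RELAYS = [
    ("F1", "op-alpha", {"Exit", "Guard"}, 2400),
    ("F2", "op-alpha", {"Exit"}, 600),
    ("F3", "op-beta", {"Guard"}, 5000),
    ("F4", "op-gamma", {"Exit"}, 20),     # tiny exit, just under 0.5%
    ("F5", "op-delta", {"Exit"}, 1000),
    ("F6", "op-delta", {"Guard"}, 3000),
]

VERIFICATION_THRESHOLD = 0.005  # 0.5% of exit or guard capacity, as proposed


def capacity_share(relays, flag):
    """Return {operator: fraction of total weight} over relays carrying `flag`."""
    per_operator = defaultdict(int)
    network_total = 0
    for _fingerprint, operator, flags, weight in relays:
        if flag in flags:
            per_operator[operator] += weight
            network_total += weight
    if network_total == 0:  # no relays with that flag: nothing to compare
        return {}
    return {op: w / network_total for op, w in per_operator.items()}


def operators_needing_verification(relays, threshold=VERIFICATION_THRESHOLD):
    """Operators whose exit or guard share exceeds `threshold`, with the
    capacity type(s) that tripped it, e.g. {"op-alpha": {"Exit", "Guard"}}."""
    flagged = {}
    for flag in ("Exit", "Guard"):
        for operator, share in capacity_share(relays, flag).items():
            if share > threshold:
                flagged.setdefault(operator, set()).add(flag)
    return flagged


if __name__ == "__main__":
    for operator, kinds in sorted(operators_needing_verification(RELAYS).items()):
        print(f"{operator}: verify ({', '.join(sorted(kinds))})")
```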
The Tor Project spokesperson said the nonprofit is considering a “design proposal” that would limit the total number of suspicious relays to some proportion of the network.